NIS used to have a major security flaw: it left your password file
readable by virtually anyone in the entire Internet, which made for
quite a number of possible intruders. As long as an intruder knew your
NIS domain name and the address of your server, he could simply send
it a request for the passwd.byname map and
instantly receive all your system's encrypted passwords. With a fast
password-cracking program like crack and a good
dictionary, guessing at least a few of your users' passwords is rarely
a problem.

This is what the securenets option is all
about. It simply restricts access to your NIS server to certain hosts,
based on their IP addresses or network numbers. The latest version of
ypserv implements this feature in two ways. The
first relies on a special configuration file called
/etc/ypserv.securenets and the second
conveniently uses the /etc/hosts.allow and
/etc/hosts.deny files we already encountered in
Chapter 12.[1]
Thus, to restrict access to hosts from within the Brewery, their
network manager would add the following line to
hosts.allow:

ypserv: 172.16.2.

This would let all hosts from IP network 172.16.2.0 access the NIS server. To
shut out all other hosts, a corresponding entry in
hosts.deny would have to read:

ypserv: ALL

IP numbers are not the only way you can specify hosts or networks in
hosts.allow and hosts.deny. Please
refer to the hosts_access(5) manual page on your system
for details. However, be warned that you cannot use host
or domain names for the ypserv entry.
If you specify a hostname, the server tries to resolve this hostname—but
the resolver in turn calls ypserv, and you fall into an
endless loop.

To configure securenets security using the
/etc/ypserv.securenets method, you need to create that file.
Its structure is simple: each line describes a host or network of hosts
that is allowed access to the server, and any address not matched by an
entry in this file is refused access. A line beginning with a # is
treated as a comment. Example 13-1 shows what a simple /etc/ypserv.securenets
would look like:

The first entry on each line is the netmask to use for the entry, with
host being treated as a special
keyword meaning “netmask 255.255.255.255.” The second entry
on each line is the IP address to which to apply the netmask.
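As an added illustration of both access-control schemes described above (this is example code, not part of the original text or of ypserv itself), the following Python script models how a ypserv-style server would evaluate hosts.allow/hosts.deny entries and a ypserv.securenets file against a client address. The sample files and client addresses are constructed for the example; the hosts_access matching implements only the subset of hosts_access(5) the text relies on (ALL, a network prefix ending in a dot, and an exact address), and deliberately supports no host or domain names, for the resolver-loop reason given above.

```python
import ipaddress

# Constructed sample files for the example (not taken from the original text).
HOSTS_ALLOW = """\
ypserv: 172.16.2.
"""
HOSTS_DENY = """\
ypserv: ALL
"""
SECURENETS = """\
# allow the loopback address so ypbind on the server itself can reach ypserv
host 127.0.0.1
# allow every host on the 172.16.2.0 network
255.255.255.0 172.16.2.0
"""


def parse_hosts_access(text):
    """Return {daemon: [client pattern, ...]} from hosts.allow/hosts.deny-style text."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, _, clients = line.partition(":")
        patterns = [c.strip() for c in clients.split(",") if c.strip()]
        for daemon in daemons.split(","):
            rules.setdefault(daemon.strip(), []).extend(patterns)
    return rules


def hosts_access_match(pattern, addr):
    """Subset of hosts_access(5) matching: ALL, a 'net.' prefix, or an exact address.
    Hostnames are intentionally unsupported: resolving one would call back into NIS."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)  # '172.16.2.' matches 172.16.2.x only
    return pattern == addr


def hosts_access_allows(daemon, addr, allow_text, deny_text):
    """tcp_wrappers order: hosts.allow first, then hosts.deny, otherwise permit."""
    allow = parse_hosts_access(allow_text).get(daemon, [])
    deny = parse_hosts_access(deny_text).get(daemon, [])
    if any(hosts_access_match(p, addr) for p in allow):
        return True
    if any(hosts_access_match(p, addr) for p in deny):
        return False
    return True  # no matching entry in either file: access is granted


def parse_securenets(text):
    """Return the list of networks in a ypserv.securenets file (netmask, then address)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mask, addr = line.split()
        if mask == "host":  # 'host' is shorthand for netmask 255.255.255.255
            mask = "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def securenets_allows(addr, text):
    """securenets semantics: an address is allowed only if some entry covers it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in parse_securenets(text))


if __name__ == "__main__":
    for client in ("172.16.2.7", "172.16.20.7", "10.0.0.1", "127.0.0.1"):
        print(client,
              "hosts_access:", hosts_access_allows("ypserv", client, HOSTS_ALLOW, HOSTS_DENY),
              "securenets:", securenets_allows(client, SECURENETS))
```

The check `hosts_access_allows("ypserv", "10.0.0.1", HOSTS_ALLOW, "")` returns True, which is the point of the `ypserv: ALL` line in hosts.deny: without it, a hosts.allow entry alone grants nothing beyond the default of letting everyone in. The securenets file behaves the other way round, refusing any address that no entry covers.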

A third option is to use the secure portmapper instead of the
securenets option in
ypserv. The secure portmapper
(portmap-5.0) uses the hosts.allow scheme as well, but
offers this for all RPC servers, not just ypserv.[2]
However, you should not use both the securenets option and the secure
portmapper at the same time, because of the overhead this
authorization incurs.